opendevreview | Luis Tomas Bolivar proposed openstack/neutron master: Add support for FDB aging https://review.opendev.org/c/openstack/neutron/+/893333 | 05:39 |
---|---|---|
opendevreview | Slawek Kaplonski proposed openstack/neutron-tempest-plugin master: New basic API tests for the default SG rules templates CRUDs https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/883553 | 06:00 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [OVN] Populate the "router.distributed" flag in ML2/OVN https://review.opendev.org/c/openstack/neutron/+/886992 | 07:28 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [OVN] Set the Neutron port status based on "lsp.up" and "lsp.enabled" https://review.opendev.org/c/openstack/neutron/+/896939 | 07:33 |
ralonsoh | hi folks, please check these patches to fix the CI: | 07:33 |
ralonsoh | * https://review.opendev.org/c/openstack/neutron/+/897438 | 07:33 |
ralonsoh | * https://review.opendev.org/c/openstack/neutron/+/897440 | 07:33 |
ralonsoh | * https://review.opendev.org/c/openstack/neutron/+/897439 | 07:33 |
ralonsoh | thanks! | 07:33 |
lajoskatona | ralonsoh: checking | 07:39 |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: [S-RBAC] Add service role in neutron policy https://review.opendev.org/c/openstack/neutron/+/886724 | 07:55 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Drop unused tables from the Neutron database https://review.opendev.org/c/openstack/neutron/+/897472 | 07:59 |
ralonsoh | slaweq, hi! I know the patch is very big, but mostly repetitive: https://review.opendev.org/c/openstack/neutron/+/896509 | 08:00 |
ralonsoh | all new policies are mimicking the existing ones (create, modify, delete) | 08:01 |
ralonsoh | with the _tags suffix | 08:01 |
slaweq | thx ralonsoh I commented it already | 08:11 |
ralonsoh | slaweq, thanks! | 08:11 |
slaweq | mostly nits but I gave -1 due to comments in the neutron/conf/policies/subnet.py file | 08:11 |
ralonsoh | I'll check it right now | 08:12 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Drop unused tables from the Neutron database https://review.opendev.org/c/openstack/neutron/+/897472 | 08:17 |
opendevreview | Slawek Kaplonski proposed openstack/neutron master: Add dhcpagentscheduler API extension to the ML2/OVN extensions https://review.opendev.org/c/openstack/neutron/+/897528 | 09:02 |
ykarel | ralonsoh, can you restore https://review.opendev.org/c/openstack/neutron/+/897462 | 09:02 |
ykarel | sorry ignore | 09:02 |
ralonsoh | is that affecting 2023.1 too? | 09:03 |
ralonsoh | ahh ok | 09:03 |
ralonsoh | I pushed that for 2023.2 | 09:03 |
ykarel | i meant https://review.opendev.org/c/openstack/neutron/+/897440 | 09:03 |
ykarel | but it's already there | 09:03 |
slaweq | ralonsoh ykarel lajoskatona when You will have few minutes, please check https://review.opendev.org/c/openstack/neutron/+/897528 - it's small patch to review :) | 09:04 |
ralonsoh | sure | 09:04 |
opendevreview | yatin proposed openstack/neutron-tempest-plugin master: Include legacy_ebtables for LinuxBridge Jammy jobs https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/897529 | 09:11 |
ykarel | ralonsoh, slaweq ^ also needed | 09:11 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/yoga: [OVN] Fix rate and burst for stateless security groups https://review.opendev.org/c/openstack/neutron/+/895663 | 09:12 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/yoga: Use safer methods to get security groups on security group logging https://review.opendev.org/c/openstack/neutron/+/897530 | 09:12 |
ykarel | slaweq, ack | 09:12 |
ralonsoh | right! | 09:12 |
ralonsoh | slaweq, about https://review.opendev.org/c/openstack/neutron/+/897528, should we backport this patch? | 09:13 |
ralonsoh | I think so | 09:13 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/xena: [OVN] Fix rate and burst for stateless security groups https://review.opendev.org/c/openstack/neutron/+/895783 | 09:15 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/xena: Use safer methods to get security groups on security group logging https://review.opendev.org/c/openstack/neutron/+/897531 | 09:15 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/wallaby: [OVN] Fix rate and burst for stateless security groups https://review.opendev.org/c/openstack/neutron/+/895785 | 09:19 |
opendevreview | Elvira García Ruiz proposed openstack/neutron stable/wallaby: Use safer methods to get security groups on security group logging https://review.opendev.org/c/openstack/neutron/+/897532 | 09:19 |
slaweq | ralonsoh yes, I will propose backports quickly once it will be merged in master | 09:35 |
ralonsoh | perfect | 09:35 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Add policy enforcer for "tags" service plugin https://review.opendev.org/c/openstack/neutron/+/896509 | 09:56 |
opendevreview | Lajos Katona proposed openstack/neutron-tempest-plugin master: Tap Mirror API tests https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/886004 | 10:07 |
*** gryf is now known as Guest2360 | 10:12 | |
*** Guest2360 is now known as _gryf | 10:13 | |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [RBAC] Update the subnet policies https://review.opendev.org/c/openstack/neutron/+/897540 | 10:50 |
slaweq | ralonsoh or lajoskatona can You +W https://review.opendev.org/c/openstack/neutron/+/886724 maybe? Zuul is fine with it finally and we are at the beginning of the cycle so I think it's good time to go with this | 10:59 |
ralonsoh | sure | 11:00 |
ralonsoh | sone | 11:00 |
ralonsoh | done | 11:00 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Add policy enforcer for "tags" service plugin https://review.opendev.org/c/openstack/neutron/+/896509 | 11:05 |
lajoskatona | slaweq: ralonsoh: :-) I was slow | 11:06 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [fullstack] Unify ``TestMTUScenarios`` tests https://review.opendev.org/c/openstack/neutron/+/897542 | 11:39 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: [fullstack] Unify ``TestQoSPolicyIsDefault`` tests https://review.opendev.org/c/openstack/neutron/+/897544 | 11:47 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Drop unused tables from the Neutron database https://review.opendev.org/c/openstack/neutron/+/897472 | 12:03 |
opendevreview | Merged openstack/neutron master: Fix the ``log.setup`` method call with "fix_eventlet=False" https://review.opendev.org/c/openstack/neutron/+/897332 | 12:48 |
mnaser | ralonsoh: happy friday -- i see you've commented on https://bugs.launchpad.net/neutron/+bug/1889388 at some point, i am most def running into this, do you have any hints that i could use to try and dig into this more? i _feel_ like i'm at a wall right now for this issue | 13:05 |
opendevreview | Alban PRATS proposed openstack/neutron master: Enabling routing of routed subnets through snat. https://review.opendev.org/c/openstack/neutron/+/890459 | 13:10 |
ralonsoh | mnaser, I'll check it but this bug is 3 years old, I don't know if that is valid now | 13:12 |
ralonsoh | i'll try to reproduce it | 13:13 |
mnaser | ralonsoh: i have an environment here that i have the same exact problem with.. could be some other 'form' of the same bug.. :( i havent tried to reproduce outside of that env but im fairly certain its an ovn/neutron thing | 13:13 |
ralonsoh | mnaser, OVN will use the first subnet to provide the GW | 13:19 |
ralonsoh | that means 1.1.1.0/24 | 13:19 |
ralonsoh | how can you have a FIP in 2.2.2.0/24? | 13:20 |
opendevreview | Alban PRATS proposed openstack/neutron master: Enabling routing of routed subnets through snat. https://review.opendev.org/c/openstack/neutron/+/890459 | 13:20 |
mnaser | ralonsoh: the external provider network has two subnets, and you can get fips in both subnets | 13:20 |
ralonsoh | yes but that won't work | 13:20 |
ralonsoh | because the GW IP is from the first subnet | 13:21 |
ralonsoh | so far, OVN routers provide one single GW IP and access to this CIDR only | 13:21 |
mnaser | it did in ml2/ovs world, and im not sure how we'd work around it then, that seems like a pretty severe limitation in large scale envs where you have a big public network | 13:21 |
mnaser | also the fip actually works from everywhere | 13:22 |
mnaser | except from hosts on the same system | 13:22 |
mnaser | (i agree with your theory fwiw) | 13:22 |
ralonsoh | "my theory"? | 13:22 |
mnaser | like it shouldnt work because the gw is not the same as the fip | 13:22 |
mnaser | but it does for everything except for system on the same host | 13:23 |
mnaser | in ml2/ovs, we would assign a network to a virtual router and then any FIP from any subnet worked | 13:24 |
mnaser | this is still the case in ml2/ovn right now too, but with the exception that if they're on the same host, it seems to not be too happy about it | 13:24 |
ralonsoh | because the traffic going outside a node is treated, in the other chassis, as external traffic | 13:26 |
ralonsoh | in the same chassis there are no rules to nat from 1.1.1.0/24 to 2.2.2.0/24 | 13:27 |
mnaser | is that the same as https://bugs.launchpad.net/neutron/+bug/2035281 ? | 13:27 |
haleyb | ralonsoh, slaweq and other cores: i need to take today off and most of next week, in case you ping me and i don't respond. I'll be around next Tuesday though. | 13:27 |
ralonsoh | I don't know, the case is different | 13:27 |
*** haleyb is now known as haleyb|away | 13:27 | |
mnaser | (i've dredged the heck out of ovn bugs for this issue) | 13:27 |
racosta | mnaser, are you using chassis as gw? I mean, to attach an instance to the external network, this network needs to be created on the host (in the case of OVN, mapped to br-ext and the host needs to be gw "chassis-as-gw"). Otherwise you would see log messages like: "Refusing to bind port aaaaaaaa-aaaa on host HOST-1 due to the OVN chassis bridge mapping physical networks [] not supporting physical network: provider" | 13:28 |
slaweq | haleyb thx for the heads up :) | 13:28 |
mnaser | racosta: we avoid `enable-chassis-as-gw` on compute nodes since we dont want them serving centralized traffic, but users are able to plug directly into the external network (cause we do add the mapping) | 13:30 |
opendevreview | yatin proposed openstack/neutron-tempest-plugin master: Add playbooks to irrelevant-files https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/897552 | 13:35 |
ralonsoh | mnaser, when the GW port is created, the port creation process follows the same rules as any other | 13:35 |
ralonsoh | that means if you have several IPv4 subnets, the IPAM module will assign only one of these IPs | 13:36 |
ralonsoh | a FIP must be in the same CIDR of the GW port because it needs to have L2 communication to access to this IP | 13:37 |
opendevreview | Merged openstack/neutron master: [S-RBAC] Add service role in neutron policy https://review.opendev.org/c/openstack/neutron/+/886724 | 13:37 |
ralonsoh | if that is working between several CIDRs, is by coincidence | 13:37 |
ralonsoh | and if that is working in all cases in ovs and not in ovn, we can't fix that | 13:37 |
ralonsoh | that is not an expected behaviour | 13:38 |
racosta | I agree with ralonsoh, you need a HW Vtep to route these two different networks via L3 (e.g. border leaves switches). | 13:47 |
mnaser | well i have that already, both these networks have a def gw, but yeah, i see how the outbound would come from the 'wrong' ip | 13:48 |
mnaser | ralonsoh: shouldn't we deny attaching a fip if the router isnt part of a external network CIDR? | 13:48 |
ralonsoh | yes, that could be something to propose because doesn't make sense | 13:48 |
mnaser | ralonsoh: https://paste.opendev.org/show/bUsXALn2ME7oaMp9LlFL/ so this is my state | 13:51 |
mnaser | so fip in subnet .56.158 when router is .83.37 | 13:52 |
racosta | wait, we are using different CIDR between router and FIP (but both are on the same physical network - VLAN). This works and makes sense because the external network domain is the VLAN. | 13:54 |
mnaser | yeah | 13:54 |
racosta | Please don't propose this FIP CIDR restriction ralonsoh because what happens when a subnet range of IPs ends up in a external subnet? you create another one and FIP can derive of that other network. | 14:00 |
ralonsoh | ok, but the OVN won't work (at least in the same host) | 14:00 |
ralonsoh | in OVS the kernel could route these packets | 14:01 |
ralonsoh | in OVN there are no OF rules to nat subnet1 to subnet2 of this external network | 14:01 |
mnaser | https://paste.opendev.org/show/bxMRYkmcCvkARtYx7KnS/ it seems like natting is actually happening | 14:03 |
ralonsoh | between what CIDRs? | 14:03 |
ralonsoh | not the external subnets in the same host | 14:03 |
ralonsoh | this is exactly the description you updated in the LP bug | 14:04 |
mnaser | cause ICMP works btw, but TCP doesn't | 14:04 |
mnaser | i think my suspicion is that the traffic is coming back from the virtual router _directly_ to the vm rather than being sent back to the gateway | 14:09 |
mnaser | and if it was sent to the gateway, it'd be fine, but its almost like its short-circuiting and sending replies straight to the vm, instead of actually sending the reply to the gateway | 14:09 |
mnaser | cause you can see packet goes towards hw gateway (fa:61:25:a2:5a:71) but the reply comes from fa:16:3e:ff:88:8a (virtual router) | 14:10 |
mnaser | so there _is_ traffic flowing, its not nothing, but i think because of that 'mismatch' tcp/stateful traffic isnt working, but normal icmp is working cause there's no state | 14:11 |
mnaser | if ovn was to be told to NOT short-circuit this traffic and send it back to its gateway, back to the hardware gateway, and then back to the vm, it would work just fine (but then it wouldn't be very efficient but it always works) | 14:11 |
mnaser | im sorry if the terminology is all wrong here, im slowly working on my ovn chops :( | 14:12 |
ralonsoh | I'll open a bug to core OVN. But traffic to IPs in the same chassis won't go outside | 14:14 |
ralonsoh | what you are asking is to have some kind of nating between external network subnets | 14:14 |
ralonsoh | or some kind of ip forwarding | 14:15 |
mnaser | ralonsoh: in this case they are going outside so maybe that is the bug, bc if i tcpdump br-ex, or the external provider interface, im seeing the traffic going to 38.129.56.158 | 14:19 |
mnaser | so egress traffic actually goes to provider network, but return traffic is coming directly through ovn | 14:20 |
ykarel | slaweq, a small patch when you get chance https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/897552 | 14:54 |
ykarel | ralonsoh, cyclic dep b/w https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/897529 and https://review.opendev.org/c/openstack/neutron/+/897440 | 15:03 |
ralonsoh | ykarel, join both in one | 15:04 |
ralonsoh | ah no | 15:04 |
ralonsoh | sorry | 15:04 |
ralonsoh | this is not the same project | 15:04 |
ralonsoh | ykarel, ok, I'm going to disable LB job in neutron | 15:05 |
ralonsoh | then merge the neutron patch | 15:05 |
ralonsoh | and then n-t-p | 15:05 |
ykarel | okk | 15:07 |
opendevreview | Rodolfo Alonso proposed openstack/neutron stable/2023.1: [stable-only] Disable "neutron-tempest-plugin-jobs-2023-1" temporarily https://review.opendev.org/c/openstack/neutron/+/897565 | 15:10 |
ralonsoh | ykarel, ^ once we have the Neutron patch merged, I'll revert this patch | 15:10 |
ralonsoh | I'll fast approve it | 15:10 |
ykarel | okk | 15:11 |
opendevreview | Rodolfo Alonso proposed openstack/neutron stable/2023.1: Add "jammy" distribution release to the legacy ebtables installation https://review.opendev.org/c/openstack/neutron/+/897440 | 15:15 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: Add a new extension "security-groups-rules-belongs-to-default-sg" https://review.opendev.org/c/openstack/neutron/+/883907 | 15:36 |
opendevreview | Rodolfo Alonso proposed openstack/neutron master: DNM WIP Remove network RBACs from subnet view https://review.opendev.org/c/openstack/neutron/+/897578 | 16:59 |
opendevreview | Rodolfo Alonso proposed openstack/neutron stable/2023.1: [stable-only] Disable "neutron-tempest-plugin-jobs-2023-1" temporarily https://review.opendev.org/c/openstack/neutron/+/897565 | 17:02 |
opendevreview | Rodolfo Alonso proposed openstack/neutron stable/2023.1: [stable-only] Disable "neutron-tempest-plugin-jobs-2023-1" temporarily https://review.opendev.org/c/openstack/neutron/+/897565 | 19:30 |
opendevreview | Rodolfo Alonso proposed openstack/neutron stable/2023.1: Add "jammy" distribution release to the legacy ebtables installation https://review.opendev.org/c/openstack/neutron/+/897440 | 22:23 |
opendevreview | Merged openstack/neutron stable/2023.1: [stable-only] Disable "neutron-tempest-plugin-jobs-2023-1" temporarily https://review.opendev.org/c/openstack/neutron/+/897565 | 23:44 |